
Boot a DD into a Virtual Machine with VirtualBox


Mreza
Senior Member
 

Re: Boot a DD into a Virtual Machine with VirtualBox

Post Posted: Sep 18, 17 10:16

StarWind V2V Converter  
 
  

infosecwriter
Member
 

Re: Boot a DD into a Virtual Machine with VirtualBox

Post Posted: Sep 19, 17 20:50

- jaclaz
What happens?

Or (alternatively) post the .vmdk descriptor file you are using and I will try and see if I can find if there is anything wrong with it.

jaclaz

Thank you for the suggestion. I am traveling through client sites this week. I will try this when I get back and let you know.
 
  

jaclaz
Senior Member
 

Re: Boot a DD into a Virtual Machine with VirtualBox

Post Posted: Sep 20, 17 11:30

Good, in the meantime I could do a few more experiments, with interesting results.
The VirtualBox parser (at least in the version I have) is "queer".
You don't really *need* most of the fields that the tools (originally made and surely working with VMware) actually produce.

The bare minimum is as follows:
# Disk DescriptorFile
version=1
createType=
RW <size in sectors> FLAT "<filename>" 0
ddb.uuid.image="<UUID>"


Just for the fun of it I made a small batch to create both the "minimal" and the "canonical" version.
Code:
@ECHO OFF
SETLOCAL ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION

IF %1.==. GOTO :Error
SET SRFull="%~dpnx1"
IF NOT EXIST %SRFull% GOTO :Error

SET SRName="%~nx1"
SET SRPath=%~dp1

::get size of Source in bytes
SET SRSize=%~z1

::get size of Source in 512 bytes sectors
CALL :to_sectors %SRSize%

::make a NOT really random 16 bytes string to be used as CID and as ddb.uuid.image
:: 16 hex digits; the index below is taken modulo 16 so each digit is equally likely
SET HexChar=0123456789ABCDEF
SET Rand8=
FOR /L %%A IN (1,1,32) DO (
SET /a _rand=!RANDOM! %% 16
CALL :to_hexchar
SET Rand8=!Rand8!!_rand!
)

SET ddb.uuid.image="%Rand8:~0,8%-%Rand8:~8,4%-%Rand8:~12,4%-%Rand8:~16,4%-%Rand8:~20,12%"
SET CID=%Rand8:~1,2%%Rand8:~5,2%%Rand8:~9,2%%Rand8:~13,2%

:: Now the fun part, the parser of VirtualBox requires only a small subset of the data that
:: is normally in a .vmdk descriptor file and in any case there is no need of setting the geometry
:: and other ddb. fields apart from the  ddb.uuid.image
:: So, the following allows to change from the "canonical" version to the shorter one, UNREM
:: the one that you choose 
CALL :canonical
REM CALL :minimal
GOTO :EOF


:canonical
ECHO # Disk DescriptorFile
ECHO version=1
SET CID
ECHO parentCID=ffffffff
ECHO createType="monolithicFlat"
ECHO.
ECHO # Extent description
ECHO RW %SRSizeBlocks% FLAT %SRName% 0
ECHO.
ECHO # The disk Data Base 
ECHO #DDB
ECHO.
ECHO ddb.virtualHWVersion = "4"
ECHO ddb.adapterType="ide"
SET ddb.uuid.image
ECHO ddb.uuid.parent="00000000-0000-0000-0000-000000000000"
ECHO ddb.uuid.modification="00000000-0000-0000-0000-000000000000"
ECHO ddb.uuid.parentmodification="00000000-0000-0000-0000-000000000000"
GOTO :EOF

:minimal
ECHO # Disk DescriptorFile
ECHO version=1
ECHO createType=
ECHO RW %SRSizeBlocks% FLAT %SRName% 0
SET ddb.uuid.image
GOTO :EOF


:to_sectors
SET Number=%1
FOR /L %%B IN (1,1,9) DO (
CALL :divideby2
IF "0"=="!Result:~0,1!" SET Result=!Result:~1!
IF NOT DEFINED Result SET Result=0
SET Number=!Result!
)
SET SRSizeBlocks=%Result%
GOTO :EOF

:divideby2
SET Result=
::Get length of number
FOR /L %%A IN (14,-1,1) DO (
SET Part=!Number:~0,%%A!
IF !Part!==%Number% SET Length=%%A
)
SET Carry=0
FOR /L %%A IN (0,1,%Length%) DO (
IF %%A==%Length% GOTO :EOF
SET /A digit=10*!Carry!+!Number:~%%A,1!
SET /A divdigit=!digit!/2
SET /A Carry=!digit!-!divdigit!-!divdigit!
SET Result=!Result!!divdigit!
)
GOTO :EOF


:to_hexchar
SET _rand=!HexChar:~%_rand%,1!
GOTO :EOF


:Error
ECHO Don't you like when all you get is:
ECHO an Error occurred!
PAUSE
GOTO :EOF

VirtualBox generates the ddb.geometry fields on its own, and as well once mounted it adds some of the other fields.

It is very possible that VMware actually *needs* some of the fields I omitted, though.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
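
An added example (not part of jaclaz's post or of the thread): a Python sketch that writes the five-line minimal descriptor shown above and checks an existing flat descriptor against the image file it names, which is the first thing to rule out when a dd image will not attach. The function names, the 512-byte sector size taken from the batch file, and the choice to reject images that are not a whole number of sectors are assumptions of this example.

```python
import os
import re
import uuid

SECTOR = 512  # sector size used by the batch file in the post
# Extent line: access keyword, size in sectors, FLAT, quoted file name, offset
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+FLAT\s+"([^"]+)"\s+(\d+)$')
UUID_RE = re.compile(r'^ddb\.uuid\.image\s*=\s*"([^"]*)"$')


def build_minimal_descriptor(image_path, image_uuid=None):
    """Return the five-line "minimal" descriptor from the post for a raw image."""
    size = os.path.getsize(image_path)
    if size == 0 or size % SECTOR:
        # Assumption of this example: refuse rather than silently round down.
        raise ValueError(f"{size} bytes is not a whole number of {SECTOR}-byte sectors")
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        "createType=",
        f'RW {size // SECTOR} FLAT "{os.path.basename(image_path)}" 0',
        f'ddb.uuid.image="{image_uuid or uuid.uuid4()}"',
    ]) + "\n"


def check_descriptor(text, image_dir):
    """List mismatches between a single-flat-extent descriptor and the image on disk."""
    lines = [ln.strip() for ln in text.splitlines()]
    extents = [m for m in map(EXTENT_RE.match, lines) if m]
    uuids = [m.group(1) for m in map(UUID_RE.match, lines) if m]
    if len(extents) != 1:
        return [f"expected exactly one FLAT extent line, found {len(extents)}"]
    problems = []
    _access, sectors, name, offset = extents[0].groups()
    path = os.path.join(image_dir, name)
    if not os.path.isfile(path):
        problems.append(f"extent file not found: {name}")
    elif int(sectors) * SECTOR != os.path.getsize(path):
        problems.append(f"extent says {sectors} sectors, file is {os.path.getsize(path)} bytes")
    if offset != "0":
        problems.append(f"extent offset is {offset}, expected 0")
    try:
        uuid.UUID(uuids[0])
    except (IndexError, ValueError):
        problems.append("ddb.uuid.image missing or not a valid UUID")
    return problems
```

Write the descriptor next to the image and keep the image itself read-only or work on a copy, since the extent line above grants RW access to the raw file.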
 
